diff --git a/CHANGELOG.md b/CHANGELOG.md index 68f4a371b..24a724e04 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,3 +14,4 @@ - [docs:update configuration metadata.](https://github.com/Tencent/spring-cloud-tencent/pull/473) - [Feature: delete implement ServiceInstance](https://github.com/Tencent/spring-cloud-tencent/pull/482) - [Bugfix: update byte-buddy scope test to compile](https://github.com/Tencent/spring-cloud-tencent/pull/497) +- [Fix the code analysis error.](https://github.com/Tencent/spring-cloud-tencent/pull/499) diff --git a/spring-cloud-starter-tencent-polaris-config/src/main/java/com/tencent/cloud/polaris/config/adapter/PolarisPropertySourceAutoRefresher.java b/spring-cloud-starter-tencent-polaris-config/src/main/java/com/tencent/cloud/polaris/config/adapter/PolarisPropertySourceAutoRefresher.java index fb673680e..8f66c42b1 100644 --- a/spring-cloud-starter-tencent-polaris-config/src/main/java/com/tencent/cloud/polaris/config/adapter/PolarisPropertySourceAutoRefresher.java +++ b/spring-cloud-starter-tencent-polaris-config/src/main/java/com/tencent/cloud/polaris/config/adapter/PolarisPropertySourceAutoRefresher.java @@ -84,7 +84,7 @@ public class PolarisPropertySourceAutoRefresher implements ApplicationListenerorg.springframework.cloud spring-cloud-circuitbreaker-spring-retry + + + org.owasp.esapi + esapi + diff --git a/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/java/com/tencent/cloud/polaris/circuitbreaker/example/ServiceAController.java b/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/java/com/tencent/cloud/polaris/circuitbreaker/example/ServiceAController.java index 73fc55bd3..04570498c 100644 --- a/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/java/com/tencent/cloud/polaris/circuitbreaker/example/ServiceAController.java +++ b/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/java/com/tencent/cloud/polaris/circuitbreaker/example/ServiceAController.java @@ -17,6 +17,8 @@ package com.tencent.cloud.polaris.circuitbreaker.example; +import org.owasp.esapi.ESAPI; + import org.springframework.beans.factory.annotation.Autowired; import org.springframework.http.ResponseEntity; import org.springframework.web.bind.annotation.GetMapping; @@ -59,8 +61,15 @@ public class ServiceAController { */ @GetMapping("/testRest") public String testRest() { - ResponseEntity entity = restTemplate - .getForEntity("http://polaris-circuitbreaker-example-b/example/service/b/info", String.class); - return entity.getBody(); + ResponseEntity entity = restTemplate.getForEntity( + "http://polaris-circuitbreaker-example-b/example/service/b/info", + String.class); + String response = entity.getBody(); + return cleanXSS(response); + } + + private String cleanXSS(String str) { + str = ESAPI.encoder().encodeForHTML(str); + return str; } } diff --git a/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/resources/ESAPI.properties b/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/resources/ESAPI.properties new file mode 100644 index 000000000..32df629d9 --- /dev/null +++ b/spring-cloud-tencent-examples/polaris-circuitbreaker-example/polaris-circuitbreaker-example-a/src/main/resources/ESAPI.properties @@ -0,0 +1,14 @@ +ESAPI.printProperties=true +ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder +ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory + +Encoder.AllowMultipleEncoding=false +Encoder.AllowMixedEncoding=false +Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec + +Logger.LogEncodingRequired=false +Logger.UserInfo=false +Logger.ClientInfo=false +Logger.ApplicationName=ExampleApplication +Logger.LogApplicationName=false +Logger.LogServerIP=false diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/pom.xml b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/pom.xml index 4cb4412c6..1f681bb38 100644 --- a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/pom.xml +++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/pom.xml @@ -23,5 +23,10 @@ org.springframework.boot spring-boot-starter-web + + + org.owasp.esapi + esapi + \ No newline at end of file diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java index c603c3cea..53d9fdf71 100644 --- a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java +++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java @@ -21,6 +21,7 @@ import java.io.UnsupportedEncodingException; import java.net.URLDecoder; import com.tencent.cloud.common.constant.MetadataConstant; +import org.owasp.esapi.ESAPI; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -66,7 +67,13 @@ public class GatewayCalleeController { public String echoHeader(@RequestHeader(MetadataConstant.HeaderName.CUSTOM_METADATA) String metadataStr) throws UnsupportedEncodingException { LOG.info(URLDecoder.decode(metadataStr, UTF_8)); - return URLDecoder.decode(metadataStr, UTF_8); + metadataStr = URLDecoder.decode(metadataStr, UTF_8); + return cleanXSS(metadataStr); + } + + private String cleanXSS(String str) { + str = ESAPI.encoder().encodeForHTML(str); + return str; } } diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/resources/ESAPI.properties b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/resources/ESAPI.properties new file mode 100644 index 000000000..32df629d9 --- /dev/null +++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service/src/main/resources/ESAPI.properties @@ -0,0 +1,14 @@ +ESAPI.printProperties=true +ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder +ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory + +Encoder.AllowMultipleEncoding=false +Encoder.AllowMixedEncoding=false +Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec + +Logger.LogEncodingRequired=false +Logger.UserInfo=false +Logger.ClientInfo=false +Logger.ApplicationName=ExampleApplication +Logger.LogApplicationName=false +Logger.LogServerIP=false diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/pom.xml b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/pom.xml index 842363af9..5d8f34fdf 100644 --- a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/pom.xml +++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/pom.xml @@ -23,6 +23,11 @@ org.springframework.boot spring-boot-starter-web + + + org.owasp.esapi + esapi + diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java index c603c3cea..53d9fdf71 100644 --- a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java +++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/java/com/tencent/cloud/polaris/gateway/example/callee/GatewayCalleeController.java @@ -21,6 +21,7 @@ import java.io.UnsupportedEncodingException; import java.net.URLDecoder; import com.tencent.cloud.common.constant.MetadataConstant; +import org.owasp.esapi.ESAPI; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -66,7 +67,13 @@ public class GatewayCalleeController { public String echoHeader(@RequestHeader(MetadataConstant.HeaderName.CUSTOM_METADATA) String metadataStr) throws UnsupportedEncodingException { LOG.info(URLDecoder.decode(metadataStr, UTF_8)); - return URLDecoder.decode(metadataStr, UTF_8); + metadataStr = URLDecoder.decode(metadataStr, UTF_8); + return cleanXSS(metadataStr); + } + + private String cleanXSS(String str) { + str = ESAPI.encoder().encodeForHTML(str); + return str; } } diff --git a/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/resources/ESAPI.properties b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/resources/ESAPI.properties new file mode 100644 index 000000000..32df629d9 --- /dev/null +++ b/spring-cloud-tencent-examples/polaris-gateway-example/gateway-callee-service2/src/main/resources/ESAPI.properties @@ -0,0 +1,14 @@ +ESAPI.printProperties=true +ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder +ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory + +Encoder.AllowMultipleEncoding=false +Encoder.AllowMixedEncoding=false +Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec + +Logger.LogEncodingRequired=false +Logger.UserInfo=false +Logger.ClientInfo=false +Logger.ApplicationName=ExampleApplication +Logger.LogApplicationName=false +Logger.LogServerIP=false diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/pom.xml b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/pom.xml index 253d3739a..bbf3bdb93 100644 --- a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/pom.xml +++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/pom.xml @@ -17,6 +17,11 @@ com.tencent.cloud spring-cloud-starter-tencent-polaris-discovery + + + org.owasp.esapi + esapi + diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java index 925031a7b..f42cd969d 100644 --- a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java +++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java @@ -18,6 +18,7 @@ package com.tencent.cloud.polaris.router.example; +import org.owasp.esapi.ESAPI; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -48,7 +49,15 @@ public class RouterCalleeController { @PostMapping("/info") public String info(String name, @RequestBody User user) { LOG.info("Discovery Service Callee [{}] is called.", port); - return String.format("Discovery Service Callee [%s] is called. user = %s", port, user); + return String.format("Discovery Service Callee [%s] is called. user = %s", port, cleanXSS(user)); + } + + private User cleanXSS(User user) { + User u = new User(); + String name = ESAPI.encoder().encodeForHTML(user.getName()); + u.setName(name); + u.setAge(user.getAge()); + return u; } } diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/resources/ESAPI.properties b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/resources/ESAPI.properties new file mode 100644 index 000000000..32df629d9 --- /dev/null +++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service1/src/main/resources/ESAPI.properties @@ -0,0 +1,14 @@ +ESAPI.printProperties=true +ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder +ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory + +Encoder.AllowMultipleEncoding=false +Encoder.AllowMixedEncoding=false +Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec + +Logger.LogEncodingRequired=false +Logger.UserInfo=false +Logger.ClientInfo=false +Logger.ApplicationName=ExampleApplication +Logger.LogApplicationName=false +Logger.LogServerIP=false diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/pom.xml b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/pom.xml index 0dd00a788..2397f4481 100644 --- a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/pom.xml +++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/pom.xml @@ -17,6 +17,11 @@ com.tencent.cloud spring-cloud-starter-tencent-polaris-discovery + + + org.owasp.esapi + esapi + diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java index b3e365ab8..6d6915b7f 100644 --- a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java +++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/java/com/tencent/cloud/polaris/router/example/RouterCalleeController.java @@ -18,6 +18,7 @@ package com.tencent.cloud.polaris.router.example; +import org.owasp.esapi.ESAPI; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -49,7 +50,15 @@ public class RouterCalleeController { @PostMapping("/info") public String info(@RequestParam("name") String name, @RequestBody User user) { LOG.info("Discovery Service Callee [{}] is called.", port); - return String.format("Discovery Service Callee [%s] is called. user = %s", port, user); + return String.format("Discovery Service Callee [%s] is called. user = %s", port, cleanXSS(user)); + } + + private User cleanXSS(User user) { + User u = new User(); + String name = ESAPI.encoder().encodeForHTML(user.getName()); + u.setName(name); + u.setAge(user.getAge()); + return u; } } diff --git a/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/resources/ESAPI.properties b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/resources/ESAPI.properties new file mode 100644 index 000000000..32df629d9 --- /dev/null +++ b/spring-cloud-tencent-examples/polaris-router-example/router-callee-service2/src/main/resources/ESAPI.properties @@ -0,0 +1,14 @@ +ESAPI.printProperties=true +ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder +ESAPI.Logger=org.owasp.esapi.logging.slf4j.Slf4JLogFactory + +Encoder.AllowMultipleEncoding=false +Encoder.AllowMixedEncoding=false +Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec + +Logger.LogEncodingRequired=false +Logger.UserInfo=false +Logger.ClientInfo=false +Logger.ApplicationName=ExampleApplication +Logger.LogApplicationName=false +Logger.LogServerIP=false diff --git a/spring-cloud-tencent-examples/pom.xml b/spring-cloud-tencent-examples/pom.xml index a4c6c9bda..40f7b2ed6 100644 --- a/spring-cloud-tencent-examples/pom.xml +++ b/spring-cloud-tencent-examples/pom.xml @@ -30,4 +30,14 @@ true + + + + org.owasp.esapi + esapi + 2.1.0.1 + + + +